如何检查,如果用户有写使用C#在Active Directory中的权利? [英] How can I check if a user has write rights in Active Directory using C#?
问题描述
在我的.NET 2.0的C#的applcation我需要确定用户(带密码)必须修改Active Directory(写入)选项的能力。我希望有使用的DirectoryEntry不会产生,然后在公元删除新对象的方式。
In my .NET 2.0 C# applcation I need to determine if a user (with password) has ability to modify (write) option in Active Directory. I hope there is a way using DirectoryEntry without creating and then deleting new object in AD.
感谢您的帮助。
推荐答案
如橄榄油说,这是很难把事情做对你自己。这是很难做到的,因为正确的权限可以通过Active Directory组被传递到您的用户帐户。因此,为了找出的有效的权限为特定的用户帐户,则必须找出所有组用户所属。
Like Olive said, it's difficult to do it right yourself. It's difficult to do right because the permissions can be passed onto your user account via Active Directory groups. So, in order to find out the effective permission for a particular user account, you have to find out all the groups the user belongs to.
幸运的是,Active Directory中有一种特殊类型的属性叫构造属性的。默认情况下,如果你使用的是AD资源管理器或ADSI编辑来浏览你的对象,不显示这些种属性。在ADSI编辑,您可以设置的过滤器的包括这些构造属性。其中一个有用的构造这里的属性是 allowedAttributesEffective 。这是一个多值属性,它包含了当前的用户有写权限的所有属性。它通过计算在飞行的Active Directory。它负责所有的继承,否定覆盖和组权限。如果你有写权限的 CN 的属性,你会看到的 CN 的作为价值观在里面之一。
Fortunately, Active Directory has a special type of attributes called constructed attributes. By default, if you are using AD Explorer or ADSI Edit to browse your object's, these kinds of attributes are not shown. In ADSI Edit, you can set the Filter to include these constructed attributes. One of the useful constructed attributes here is allowedAttributesEffective. It's a multi-value attribute and it contains all attributes that your current user has permission to write to. It's calculated by Active Directory on the fly. It takes care all the inheritance, deny override and group permissions. If you have permission to write to cn attribute, you will see cn as one of the values in it.
下面是用于检查特定用户的样本有写在Active Directory中的特定对象上的特定属性集的权限。
Here is a sample for checking a particular user has write permissions on a particular sets of attributes on a specific object on Active Directory.
static bool CheckWritePermission(string path, string username, string password, string[] properties)
{
using (DirectoryEntry de = new DirectoryEntry(path, username, password))
{
de.RefreshCache(new string[] {"allowedAttributesEffective"});
return properties.All( property => de.Properties["allowedAttributesEffective"].Contains(property));
}
}
是的,这不正是你想要的。你问到检查,如果用户拥有的 WriteAllProperties 的权限。事实上, WriteAllProperties 的权限是不同的属性写属性权限的集合。你可能需要做一些功课,找出哪些属性,您的应用程序真正关心。然后,就在传递这些属性。
Yes, it's not exactly what you want. You are asking to check if a user has WriteAllProperties permission. Actually, WriteAllProperties permission is a collection of write property permissions on different attributes. You may need to do some homework to find out what attributes your application really cares. Then, just pass in those attributes.
如果你真的不知道什么属性来检查,这应该是足够好
If you really have no idea what attributes to check, this one should be good enough
static bool CheckWritePermission(string path, string username, string password)
{
using (DirectoryEntry de = new DirectoryEntry(path, username, password))
{
de.RefreshCache(new string[] { "allowedAttributesEffective" });
return de.Properties["allowedAttributesEffective"].Value != null;
}
}
下面,我检查,如果返回的 allowedAttributesEffective 的为空或不是。如果为null,这意味着它没有任何权限写入任何属性。我假设你的管理员要么授予所有写属性允许或拒绝所有写属性。我觉得这是在大多数情况下,一个有效的假设。
Here, I am checking if the returned allowedAttributesEffective is null or not. If null, it means it doesn't have any permissions to write to any attributes. I am assuming your administrator would either grant all write properties permission or deny all write properties. I think this is a valid assumption in most cases.
这篇关于如何检查,如果用户有写使用C#在Active Directory中的权利?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
